diff --git a/SOURCES/squid-4.4.0-CVE-2019-12527.patch b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
new file mode 100644
index 0000000..ea950f5
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
@@ -0,0 +1,139 @@
+commit 7f73e9c5d17664b882ed32590e6af310c247f320
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date: 2019-06-19 05:58:36 +0000
+
+ Update HttpHeader::getAuth to SBuf (#416)
+
+ Replace the fixed-size buffer for decoding base64 tokens with an
+ SBuf to avoid decoder issues on large inputs.
+
+ Update callers to SBuf API operations for more efficient memory
+ management.
+
+diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
+index 1e2b650..284a057 100644
+--- a/src/HttpHeader.cc
++++ b/src/HttpHeader.cc
+@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
+ return cr;
+ }
+
+-const char *
+-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
++SBuf
++HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
+ {
+ const char *field;
+ int l;
+ assert(auth_scheme);
+ field = getStr(id);
+
++ static const SBuf nil;
+ if (!field) /* no authorization field */
+- return NULL;
++ return nil;
+
+ l = strlen(auth_scheme);
+
+ if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ field += l;
+
+ if (!xisspace(*field)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ /* skip white space */
+ for (; field && xisspace(*field); ++field);
+
+ if (!*field) /* no authorization cookie */
+- return NULL;
++ return nil;
+
+- static char decodedAuthToken[8192];
++ const auto fieldLen = strlen(field);
++ SBuf result;
++ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+ size_t decodedLen = 0;
+- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field) ||
++ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
+ !base64_decode_final(&ctx)) {
+- return NULL;
++ return nil;
+ }
+- decodedAuthToken[decodedLen] = '\0';
+- return decodedAuthToken;
++ result.rawAppendFinish(decodedAuthToken, decodedLen);
++ return result;
+ }
+
+ ETag
+diff --git a/src/HttpHeader.h b/src/HttpHeader.h
+index a26b127..3b262be 100644
+--- a/src/HttpHeader.h
++++ b/src/HttpHeader.h
+@@ -134,7 +134,7 @@ public:
+ HttpHdrRange *getRange() const;
+ HttpHdrSc *getSc() const;
+ HttpHdrContRange *getContRange() const;
+- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
++ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
+ ETag getETag(Http::HdrType id) const;
+ TimeOrTag getTimeOrTag(Http::HdrType id) const;
+ int hasListMember(Http::HdrType id, const char *member, const char separator) const;
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index da22f7a..2fae767 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -27,6 +27,7 @@
+ #include "mgr/FunAction.h"
+ #include "mgr/QueryParams.h"
+ #include "protos.h"
++#include "sbuf/StringConvert.h"
+ #include "SquidConfig.h"
+ #include "SquidTime.h"
+ #include "Store.h"
+@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m
+ // TODO: use the authentication system decode to retrieve these details properly.
+
+ /* base 64 _decoded_ user:passwd pair */
+- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
++ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
+
+- if (!basic_cookie)
++ if (basic_cookie.isEmpty())
+ return;
+
+- const char *passwd_del;
+- if (!(passwd_del = strchr(basic_cookie, ':'))) {
++ const auto colonPos = basic_cookie.find(':');
++ if (colonPos == SBuf::npos) {
+ debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
+ return;
+ }
+
+ /* found user:password pair, reset old values */
+- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
+- params.password = passwd_del + 1;
++ params.userName = SBufToString(basic_cookie.substr(0, colonPos));
++ params.password = SBufToString(basic_cookie.substr(colonPos+1));
+
+ /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
+ debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index b958b14..7ca5d24 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
+
+ #if HAVE_AUTH_MODULE_BASIC
+ /* Check HTTP Authorization: headers (better than defaults, but less than URL) */
+- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
++ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
+ if (!auth.isEmpty()) {
+ flags.authenticated = 1;
+ loginParser(auth, false);
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 1696777..f2aeafc 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -2,7 +2,7 @@
Name: squid
Version: 4.4
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -36,6 +36,10 @@ Patch206: squid-4.4.0-active-ftp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1612524
Patch207: squid-4.4.0-man-pages.patch
+# security fixes
+# https://bugzilla.redhat.com/show_bug.cgi?id=1744672
+Patch500: squid-4.4.0-CVE-2019-12527.patch
+
Requires: bash >= 2.0
Requires(pre): shadow-utils
Requires(post): systemd
@@ -93,6 +97,8 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch206 -p1 -b .active-ftp
%patch207 -p1 -b .man-pages
+%patch500 -p1 -b .CVE-2019-12527
+
%build
# cppunit-config patch changes configure.ac
autoconf
@@ -295,6 +301,10 @@ fi
%changelog
+* Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-5
+- Resolves: #1744672 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
+ in HttpHeader::getAuth
+
* Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-4
- Resolves: #1612524 - Man page scan results for squid